Use Cases:
Since the COVID-19 pandemic, many companies have leveraged VDI Horizon infrastructure to accommodate their remote workers. Today remote users connect to VDI Horizon infrastructure over many different means home ISP connections, company-issued cellular devices/hotspots on multiple carriers, as well as personal devices. We have identified an issue with cellular devices traversing the ATT Wireless network connecting to VDI Horizon infrastructure.
The Architecture:
I wanted to simplify the VDI Horizons infrastructure discussion to just the pieces that are crucial to the issue. The relevant parts that come into play for user access to the Horizons environment is the VMWare Horizon client, hardware load balancers, and the UAG or User Access Gateway servers.
The Protocols:
VDI Horizons traffic is split between primary and secondary protocols. The primary protocol used for authentication is over HTTPS or port 443. Within the ATT wireless network, this traffic is sourced from the primary enterprise PAT address. After the VMware Horizon client has authenticated and established secure communication to one of the UAG appliances, one or more secondary connections are made from the Horizon client. These secondary connections can include:
• Blast Extreme display protocol (TCP 443 and UDP 8443). Note that UDP is optional with Blast.
• PCoIP display protocol (TCP 4172 and UDP 4172).
The secondary Horizon protocols must be routed to the same UAG appliance and from the same client IP address that the primary Horizon protocol was authenticated from. The UAG authorizes the secondary protocols based on the authenticated user session. The UAG will only forward traffic into the corporate data center on behalf of an authenticated user.
The Symptoms:
On the ATT Wireless network when a user's Horizon client connects to a virtual IP address it is load balanced to a UAG server and the session is authenticated. The IP address of the traffic is sourced and authenticated using the device’s IP address, this is true for all networks. When the Horizon client attempts to connect to the secondary protocol the traffic destined to the secondary protocol port, UDP 8443, or TCP or UDP 4172, is routed through a proxy within the ATT network. When the traffic is routed through the ATT proxy the source IP address of that traffic is different than the original device IP that was used to authenticate the user session and the VMware UAG server rejects the traffic. In some situations, the load-balanced traffic may even be sent to a different UAG server. This seems to be true for all users on the ATT Wireless network.
Moving toward a solution:
The first part of solving the problem is identifying the cause, and we believe that is done. Since the IP address of the primary and secondary protocols are different, the Horizons server rejects the traffic or perhaps never sees the traffic based on load balancing and persistence settings of the load balancer. ATT network engineers have been very helpful with troubleshooting and validating that our assumptions are accurate and are currently looking at solutions to solve the issue.
**Update** the ATT sales people that where interfacing with the ATT technical staff have informed us it is not possible to fix the issue. They are trying to sell us a cellular router that they say can be routed over an APN to solve the issue, instead of letting the technical folks fix the issue for us and potentially everyone else on the ATT wireless network.
What would we like to see:
We would like to see the secondary protocols included in the enterprise PAT and not routed through the proxy. If this was implemented, it could fix VDI Horizons across the entire ATT Wireless environment for everyone.
So SolarStorm the SolarWinds supply chain hack... Yeah.... You might have heard about it?
SolarWinds supply chain was compromised. What that means is a trojanized version of a SolarWinds package was uploaded and distributed to their clients . The infected package contained malware named SUNBURST, and when clients installed the infected package it also installed the malware. The malware creates a backdoor to allow the bad actors to control the server, move laterally, and exfiltrate data. Basically what ever they want....
Updated Solarwinds Attack Lifecycle:
What should you do now:
As information starts to come out and the initial freak out calms down we are learning more about the impact of these exploits, and they are pretty huge. I wanted to gather a collection of information and vendor responses in one place to try to help fellow nerds have a resource of reliable information.
SolarWinds
- Security Advisory https://www.solarwinds.com/securityadvisory
Fireeye Links
- Initial write up about the Sunburst https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- Counter Measures https://github.com/fireeye/sunburst_countermeasures
- Emergency Directive https://cyber.dhs.gov/ed/21-01/
Palo Alto Networks Unit 42
- Analysis of Sunburst https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
- Information https://blog.checkpoint.com/2020/12/16/solarwinds-sunburst-attack-what-do-you-need-to-know/
Cisco Networks
Splunk
- Response and Identification tool https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
Mcafee
Microsoft
- Pretty tough to get through :( https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
- **Customer Guidance: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
Infoblox
Elasticsearch (Elastic Security)- Response and Identification tool https://www.elastic.co/blog/elastic-security-provides-free-and-open-protections-for-sunburst
- **Assessing the SolarWinds hack with their tool: https://www.crowdstrike.com/blog/tech-center/assess-solarwinds/
During the pandemic, I have been binging more and more Star Wars shows on Disney+. While I have been taking in all that Star Wars it hit me I wasn't sure when these individual shows or movies took place in the canon timeline. Shows like the Mandalorian throw in some deep-cut references that I didn't get until I understood when it took place.
So I wanted to put up a list in chronological order to help myself and hopefully, everyone else enjoy Star Wars a little bit more.
- Episode I Phantom Menace
- Episode II Attack of the Clones
- Clone Wars (movie)
- Clone Wars (tv show S1-7)
- Episode III Revenge of the Sith
- Solo: A Star Wars Story
- Star Wars: Rebels (S1-4)
- Rouge One: A Star Wars Story
- Star Wars: A New Hope
- Battlefront (video game)
- The Empire Strikes Back
- Return of the Jedi
- Battlefront II (video game)
- The Mandalorian
- Star Wars: Resistance S1 (tv show)
- The Force Awakens
- Star Wars: Resistance S2 (tv show)
- The Last Jedi
- Rise of Skywalker
Also if you want more in depth info I found this interactive site that lists alot more then just TV and movies. https://starwarscanontimeline.com/
Enjoy!